Let's say you setup two workflows, one with a master trigger to kick of your AppStore workflow. This will sign your apps with the distribution profile and a trigger with * to kick of your normal Primary workflow that builds and deploys your app to the testers. On both workflows you can setup an Xcode Archive step, update the needed signing and you are ready to go.

This will create the required IPA's for you, but there is an easier way!

Instead of running multiple Xcode Archive steps, setup your project to sign your apps with Automatic > iOS Developer and upload a wildcard provisioning profile. ( You can even use our own preinstalled certificate and provisioning profile for that if you don't set the team id. )

When you want to deploy your app to the QA team or to App Store, add the iOS Re-sign step to your workflow and set your iTunes team ID with the required distribution. It will simply re-sign your IPA and your are ready to go, without the need of manually handling different versions of settings in your project, or burning build minutes.

Here you can find a sample bitrise.yml that will resign your app and deploy it to iTunes Connect if you are deploying to the master branch